509322

Essentially what I'm wondering about is if there is a standalone, highly efficient HIPS product available that works in conjunction with an AV.
The only standalone HIPS - in terms of a "classical" HIPS - that is actively developed and remains on the market is SpyShelter Premium. It offers Restricted Apps - programs added to a list and run with restricted access privileges.

ReHIPS is more of an anti-executable (very similar to NVT ERP) and has the ability for the user to isolate programs both from the real system and from each other by running programs in separate user profiles (ReHIPSUser).

All the standalone HIPS that were on the market years ago - days gone by - might still be available for download here and there, and then only for 32-bit systems, but they are long since abandoned.
 

shmu26

To be informed if the program is doing something that it's not supposed to.
I'm with you! I really wish that HIPS would do that.

Unfortunately, the alerts will almost never tell you whether the action is malicious or not. They can only tell you whether it is *potentially* malicious, and if you block everything in that category, your computer will become unusable.

The only standalone HIPS these days is SpyShelter. Download the trial version, and try it out. SpyShelter has a nice HIPS, and its forte is anti-keylogging protection. It is weak on anti-ransomware, though.

ReHIPS is a great program, and definitely one of my favorites, but it does not have a fully developed HIPS like SpyShelter and COMODO and the others do. The HIPS is pretty rudimentary, because the main strength of the software lies in its isolation capabilities.
 
509322

Unfortunately, you have to practice with almost any security software to learn how it works - even Windows Defender. To know what is a bug, to know what is to be expected and what is unexpected, to know its limitations.

Practicing with HIPS involves setting them to "Interactive" mode - which is basically where the HIPS generates an alert for many actions on the system. Only after practicing with the HIPS on a clean system for a good while does the user begin to understand. Then the user can test malware to further hone their skills. On top of it, the user must read product documentation.

Becoming a skilled HIPS user is not that difficult. It just takes time and effort. The problem is that most people do not have the inclination.
 

jamescv7

Malware Defender (now integrated into Qihoo 360 products as a component, no longer stand-alone) was well known as a classical HIPS way back.

Another strong HIPS is Comodo Firewall, which, even though it has undergone numerous adjustments, is still very effective.
 
Malware has gotten so sophisticated that now one cannot rely only on common sense with some security software.
You need to spend time reading up on security software all the time and modifying your security software and its settings continuously.
For example, in SpyShelter Premium I allow the torrent client to only download torrent files and not to do anything else.
Also, µTorrent has a helper called torrentie.exe which all security softs say is malicious. I block this too from doing anything on my PC.
Then I block Flash, Adobe Reader, browsers, etc. from doing things they are not supposed to do, such as access to sound, screenshotting, webcam, code injection, installing drivers, etc.
I have also created a folder that I tell SpyShelter to only give access to trusted apps.
Same with WinPatrol WAR, which blocks unknown apps from accessing files in the safe zone.

Last but not least, the user needs to be a bit tech-savvy today in the face of increasingly sophisticated threats such as ransomware, which has to be blocked at the entry point; after it enters, it's too late.
 

shmu26

That sounds interesting. How do you block unwanted actions in SpyShelter?
 

shmu26

The problem is that some people expect too much from their HIPS.

As you say, an educated user can tell when his installed app is doing something unusual.

And an average user can block a process that looks suspicious to him, if he is doing something vulnerable, like surfing the internet or opening a PDF file. Usually, no damage will be done by blocking a process.

But a problem arises when the user installs a new and unfamiliar app. There, you can't rely on the HIPS prompts to tell you when it's getting malicious. It's almost impossible to know that during the installation process.
 
509322

The point of HIPS is to lock down the system - and protect the existing, verified clean system against malicious modification and abuse. It's the conservative way to use HIPS.

For even knowledgeable users with extensive HIPS experience, the only truly meaningful alert is the execution alert. If it isn't supposed to be running, then block it. To be able to do that only requires an awareness of what is installed and should be running on the system.

Anyhow, if one practices with HIPS, then one will surely learn, unless just plain brain dead. For example, an unknown non-installer file located in User Space that requests elevated privileges and attempts to execute a host process\interpreter in System Space should be blocked. Gaining knowledge of other such patterns is accomplished by doing.

For everybody else there are default allow solutions.
 
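The rules described in the two posts above (per-app restrictions on sound, screenshots, webcam, code injection and driver installs; a protected folder that only trusted apps may touch; blocking anything that is not supposed to be running; and blocking an unknown non-installer file in User Space that asks for elevation and launches a host process or interpreter in System Space) can be written down as a small policy evaluator. The following is an added illustration in Python, not code from SpyShelter, ReHIPS, WinPatrol or any other product named in this thread. The event format, the "System Space" path prefixes, the interpreter list, the installer heuristic, the sample policy and the sample events are all assumptions constructed for the example; a real HIPS gets these events from kernel callbacks rather than from a list.

```python
"""Toy HIPS-style policy evaluator: an added illustration, not code from any product named in the thread."""
from __future__ import annotations
import ntpath
from dataclasses import dataclass

SYSTEM_SPACE = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumed "System Space" prefixes
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "msiexec.exe"}  # assumed host-process / interpreter list
INSTALLER_HINTS = ("setup", "install")  # crude stand-in for the post's "non-installer file" distinction
SENSITIVE = {"sound", "screenshot", "webcam", "code_injection", "driver_install"}  # actions named in the thread


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_system_space(path: str) -> bool:
    return path.lower().startswith(SYSTEM_SPACE)


@dataclass
class Policy:
    known_executables: frozenset[str]             # full paths of what is supposed to run on this system
    capabilities: dict[str, frozenset[str]]       # app basename -> SENSITIVE actions it may perform
    protected_folders: dict[str, frozenset[str]]  # folder prefix -> basenames of the apps trusted inside it


def evaluate(policy: Policy, event: dict) -> tuple[str, str]:
    """Return (verdict, reason); verdict is ALLOW, BLOCK or ASK (an interactive-mode prompt)."""
    actor, kind = event["process"], event["type"]
    actor_known = actor.lower() in policy.known_executables

    if kind == "execute":
        target = event["target"]
        # Unknown non-installer file in User Space asks for elevation and launches a host
        # process / interpreter in System Space: block it without asking.
        if (not actor_known and not in_system_space(actor)
                and not any(h in basename(actor) for h in INSTALLER_HINTS)
                and event.get("elevated", False) and in_system_space(target)
                and basename(target) in INTERPRETERS):
            return "BLOCK", "unknown user-space file launching an elevated system interpreter"
        if target.lower() not in policy.known_executables:  # the execution alert
            return "BLOCK", "executable is not on the list of what should be running"
        return "ALLOW", "known executable"

    if kind == "action":
        action = event["action"]
        if action not in SENSITIVE:
            return "ALLOW", "not a sensitive action"
        allowed = policy.capabilities.get(basename(actor))
        if allowed is None:
            return "ASK", f"no per-app rule for {basename(actor)}; prompt the user"
        if action in allowed:
            return "ALLOW", f"{action} permitted by per-app rule"
        return "BLOCK", f"{action} denied by per-app rule"

    if kind == "file_access":
        path = event["path"].lower()
        for folder, trusted in policy.protected_folders.items():
            if path.startswith(folder.lower()):
                if basename(actor) in trusted:
                    return "ALLOW", "trusted app inside protected folder"
                return "BLOCK", f"untrusted app touching protected folder {folder}"
        return "ALLOW", "path is not protected"

    return "ASK", f"unhandled event type {kind}"


# Sample policy mirroring the posts (paths are assumptions): browser gets sound only, torrent
# client gets nothing sensitive, one "safe zone" folder that only notepad.exe may touch.
POLICY = Policy(
    known_executables=frozenset({r"c:\windows\explorer.exe", r"c:\windows\system32\cmd.exe",
                                 r"c:\windows\system32\notepad.exe", r"c:\program files\utorrent\utorrent.exe",
                                 r"c:\program files\mozilla firefox\firefox.exe"}),
    capabilities={"firefox.exe": frozenset({"sound"}), "utorrent.exe": frozenset()},
    protected_folders={r"c:\users\alice\safezone": frozenset({"notepad.exe"})},
)

FIREFOX = r"c:\program files\mozilla firefox\firefox.exe"
DROPPED = r"c:\users\alice\downloads\invoice.exe"
EVENTS = [  # constructed events standing in for HIPS callbacks, not real telemetry
    {"type": "execute", "process": DROPPED, "target": r"c:\windows\system32\cmd.exe", "elevated": True},
    {"type": "execute", "process": FIREFOX, "target": r"c:\users\alice\downloads\update.exe", "elevated": False},
    {"type": "execute", "process": r"c:\windows\explorer.exe", "target": r"c:\windows\system32\notepad.exe"},
    {"type": "action", "process": FIREFOX, "action": "webcam"},
    {"type": "action", "process": FIREFOX, "action": "sound"},
    {"type": "action", "process": r"c:\program files\adobe\reader.exe", "action": "code_injection"},
    {"type": "action", "process": r"c:\program files\utorrent\utorrent.exe", "action": "screenshot"},
    {"type": "file_access", "process": DROPPED, "path": r"c:\users\alice\safezone\taxes.xlsx"},
    {"type": "file_access", "process": r"c:\windows\system32\notepad.exe", "path": r"c:\users\alice\safezone\notes.txt"},
]


def verdicts(policy: Policy = POLICY, events: list[dict] = EVENTS) -> list[str]:
    return [evaluate(policy, e)[0] for e in events]


if __name__ == "__main__":
    for e in EVENTS:
        v, why = evaluate(POLICY, e)
        print(f"{v:<5} {e['type']:<11} {basename(e['process'])}: {why}")
```

Run as a script it prints one verdict per constructed event: the dropped invoice.exe is blocked on the elevation-plus-interpreter pattern before the plain execution allowlist is consulted, the browser's unknown download is blocked purely because it is not on the list of what should be running, the browser is denied the webcam but allowed sound, the PDF reader with no rule falls through to an ASK prompt (the interactive mode the thread recommends practising with), and only notepad.exe may read the safe zone. The ordering matters: the specific pattern rule comes first so the reason shown to the user says why, and the catch-all ASK at the end is what turns an unknown situation into a prompt rather than a silent allow.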

shmu26

Jeff, what is your opinion about the ability of SpS to protect the system? I know that it specializes in keylogger protection, but what do you think of its capabilities to protect from other threats?
And does it do its job reliably, without bugs and glitches, or is it hit-and-miss?
 
509322

SpyShelter is very capable of protecting the system. SpyShelter can protect against all physical system threats - if the user blocks execution. On the other hand, if you allow something to execute, and it smashes the system, then you allowed the system to get smashed. That is true of all HIPS (as well as just about everything else).

SpyShelter is very reliable. Of course it has bugs - mostly minor GUI\annoyance stuff. It has its operational quirks, but there is nothing bad enough to not use it. It's no different than AppGuard - which has bugs too. Humans + Code = Bugs.
 

shmu26

Why do people say it is weak against ransomware? Has that been fixed recently?
 
Great questions and great answers, guys.
SpS has a number of actions, and for each executable / DLL I allow what it needs to do and no more.
I learnt by trial and error and now have a fairly decent set of rules that I could share with you.
I do a lot of installing and uninstalling and so I run the risk of breaking the system.
I back up daily and restore if need be. As I said, you need to spend time learning or depend on the experts here at MT.
I have been using SpS for several years now.
SpS is strong against ransomware, as it notifies the user if any app tries to access files in the protected folder.
If ransomware hijacks a trusted system file / process or tries to inject code, SpS will alert you.

Ransomware will typically run from a user interaction or a drive-by download, which should be blocked by other softs such as WinPatrol WAR (files in the safe zone) and PreEmptive Strike, or WinPatrol Firewall, which blocks access to the internet first and asks questions later, or by NVT ERP if any malware tries to do something fishy in memory.

Basically, if you have doubts, or do not have the knowledge, block first.

As I said first, this is the problem with technology today. The more advanced you get, the more you find there are problems.
Today, elders and children alike need to be tech-savvy or they will face problems with their PC.

If they do not use security softs they will end up getting infected.
If they use security softs they will be protected only up to a point, beyond which the user needs to decide.
Cheers
 